Resource-Based Policy

Identity-based policies are attached to an IAM user or role; they are the kind of policy used day to day.

Resource-based policies are attached to a specific resource, for example an S3 bucket, an SQS queue, a VPC endpoint, or a KMS key. Only a subset of AWS services supports them; see this document: AWS services that work with IAM.

With a resource-based policy you specify who may access the resource and which actions they may perform. Only inline policies are supported here, not managed policies.

Example

The administrator attaches identity-based policies to JohnSmith, CarlosSalazar and MaryMajor that restrict each of them to particular resources; for example, JohnSmith can only access Resource X. The administrator also attaches resource-based policies to Resource X, Y and Z that specify who may access each resource; for example, Resource X allows JohnSmith and MaryMajor access.

(Figure: Identity-based vs resource-based policies)

Net effect:

  • JohnSmith – John can perform list and read actions on Resource X. He is granted this permission by the identity-based policy on his user and the resource-based policy on Resource X.
  • CarlosSalazar – Carlos can perform list, read, and write actions on Resource Y, but is denied access to Resource Z. The identity-based policy on Carlos allows him to perform list and read actions on Resource Y. The Resource Y resource-based policy also allows him write permissions. However, although his identity-based policy allows him access to Resource Z, the Resource Z resource-based policy denies that access. An explicit Deny overrides an Allow and his access to Resource Z is denied. For more information, see Policy evaluation logic .
  • MaryMajor – Mary can perform list, read, and write operations on Resource X, Resource Y, and Resource Z. Her identity-based policy allows her more actions on more resources than the resource-based policies, but none of them deny access.
  • ZhangWei – Zhang has full access to Resource Z. Zhang has no identity-based policies, but the Resource Z resource-based policy allows him full access to the resource. Zhang can also perform list and read actions on Resource Y.

Summary

  • If identity-based policies and resource-based policies are both declared, they are evaluated together.
  • If either of the two contains a Deny, the Deny takes precedence.
  • For Allow, an Allow in either of the two is sufficient.
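The evaluation rule above, modelled as an added Python example that is not part of the original post or of any AWS code. It assumes the principal and the resource are in the same account; the principals, resources and policy statements are constructed to mirror the scenario above, and the statement format is a simplified stand-in for real IAM policy JSON.

```python
from typing import Dict, List

# Constructed toy policies mirroring the scenario above (not real AWS policy JSON).
# Identity-based: principal -> statements that name Resources.
IDENTITY_POLICIES: Dict[str, List[dict]] = {
    "JohnSmith": [{"Effect": "Allow", "Action": ["list", "read"], "Resource": ["X"]}],
    "CarlosSalazar": [{"Effect": "Allow", "Action": ["list", "read"], "Resource": ["Y", "Z"]}],
    "MaryMajor": [{"Effect": "Allow", "Action": ["list", "read", "write"], "Resource": ["X", "Y", "Z"]}],
    # ZhangWei has no identity-based policy at all.
}
# Resource-based: resource -> statements that name Principals.
RESOURCE_POLICIES: Dict[str, List[dict]] = {
    "X": [{"Effect": "Allow", "Principal": ["JohnSmith", "MaryMajor"], "Action": ["list", "read"]}],
    "Y": [
        {"Effect": "Allow", "Principal": ["CarlosSalazar"], "Action": ["list", "read", "write"]},
        {"Effect": "Allow", "Principal": ["ZhangWei"], "Action": ["list", "read"]},
    ],
    "Z": [
        {"Effect": "Allow", "Principal": ["ZhangWei"], "Action": ["*"]},
        {"Effect": "Deny", "Principal": ["CarlosSalazar"], "Action": ["*"]},
    ],
}


def _matches(stmt: dict, action: str, key: str, value: str) -> bool:
    """Statement covers `action` and names `value` under `key` (Resource or Principal)."""
    actions = stmt["Action"]
    return ("*" in actions or action in actions) and value in stmt.get(key, [])


def is_allowed(principal: str, action: str, resource: str) -> bool:
    """Same-account rule: an explicit Deny in either policy wins; otherwise any Allow suffices."""
    relevant = [s for s in IDENTITY_POLICIES.get(principal, [])
                if _matches(s, action, "Resource", resource)]
    relevant += [s for s in RESOURCE_POLICIES.get(resource, [])
                 if _matches(s, action, "Principal", principal)]
    if any(s["Effect"] == "Deny" for s in relevant):
        return False
    # No matching statement at all falls through to False: the implicit deny.
    return any(s["Effect"] == "Allow" for s in relevant)


def effective_actions(principal: str, resource: str) -> List[str]:
    """Which of list/read/write the principal ends up with on the resource."""
    return [a for a in ("list", "read", "write") if is_allowed(principal, a, resource)]


if __name__ == "__main__":
    for who in ("JohnSmith", "CarlosSalazar", "MaryMajor", "ZhangWei"):
        print(who, {r: effective_actions(who, r) for r in ("X", "Y", "Z")})
```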

References

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html